Hi folks! I stumbled upon a strange problem with applying securityContext.appArmorProfile.type
on pod/container level, either when creating a pod directly or via Deployment/DaemonSet/StatefulSet.
When I'm applying the manifest
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
  # annotations:
  #   container.apparmor.security.beta.kubernetes.io/hello: unconfined
spec:
  securityContext:
    appArmorProfile:
      type: Unconfined
  containers:
  - name: hello
    image: busybox:1.28
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
    securityContext:
      appArmorProfile:
        type: Unconfined
```
the created pod has
```yaml
spec:
  containers:
  - name: hello
    securityContext: {}
  securityContext: {}
```
but when the manifest has
```yaml
metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: unconfined
```
the created pod has
```yaml
spec:
  containers:
  - name: hello
    securityContext:
      appArmorProfile:
        type: Unconfined
  securityContext: {}
```
What I've double-checked:
- there’s no interfering validating/mutating webhooks
- no Pod Security Standard explicitly applied on the target namespace
Moreover, I have a ± similar cluster, with the same set of software and the same versions, which works like a champ.
Please, dear colleagues, I would be very grateful for fresh ideas / troubleshooting scenarios / insights.
Br, Alexey
Cluster information:
Kubernetes version: v1.32.5+rke2r1
Cloud being used: bare-metal
Installation method: rke2
Host OS: Ubuntu 24.04.1 LTS
CNI and version: cilium v1.17.4
CRI and version: containerd v2.0.5-k3s1
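A check one can run on the two outputs in the post, as an added example (not from the post and not Kubernetes' own code): it reads a submitted manifest and the pod the API server returned, and lists which field-based AppArmor settings came back unset and which legacy annotations were present. The sample pods are constructed from the post's output; the names `requested_apparmor`, `annotation_apparmor` and `dropped_fields` are assumed here.

```python
# Added check (not from the post): compare the AppArmor settings requested
# in a manifest with what the API server persisted. Sample pods below are
# constructed from the post's output and embedded so this runs offline.
ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def requested_apparmor(pod: dict) -> dict:
    """Field-based AppArmor types: pod level and per container (None if unset)."""
    spec = pod.get("spec") or {}
    pod_type = ((spec.get("securityContext") or {}).get("appArmorProfile") or {}).get("type")
    containers = {}
    for c in spec.get("containers") or []:
        sc = c.get("securityContext") or {}
        containers[c["name"]] = (sc.get("appArmorProfile") or {}).get("type")
    return {"pod": pod_type, "containers": containers}

def annotation_apparmor(pod: dict) -> dict:
    """Legacy annotation-based profiles, keyed by container name."""
    ann = (pod.get("metadata") or {}).get("annotations") or {}
    return {k[len(ANNOTATION_PREFIX):]: v for k, v in ann.items()
            if k.startswith(ANNOTATION_PREFIX)}

def dropped_fields(submitted: dict, persisted: dict) -> list:
    """Paths set in the submitted manifest that came back unset from the server."""
    want, got = requested_apparmor(submitted), requested_apparmor(persisted)
    dropped = []
    if want["pod"] and not got["pod"]:
        dropped.append("spec.securityContext.appArmorProfile")
    for name, t in want["containers"].items():
        if t and not got["containers"].get(name):
            dropped.append(f"spec.containers[{name}].securityContext.appArmorProfile")
    return dropped

# Constructed samples mirroring the two cases in the post.
UNCONFINED = {"appArmorProfile": {"type": "Unconfined"}}
SUBMITTED_FIELDS = {"metadata": {"name": "hello-apparmor"},
                    "spec": {"securityContext": UNCONFINED,
                             "containers": [{"name": "hello", "securityContext": UNCONFINED}]}}
PERSISTED_FIELDS = {"spec": {"securityContext": {},
                             "containers": [{"name": "hello", "securityContext": {}}]}}
SUBMITTED_ANNOTATION = {"metadata": {"name": "hello-apparmor", "annotations": {
                            ANNOTATION_PREFIX + "hello": "unconfined"}},
                        "spec": {"containers": [{"name": "hello"}]}}
PERSISTED_ANNOTATION = {"spec": {"securityContext": {},
                                 "containers": [{"name": "hello", "securityContext": UNCONFINED}]}}

if __name__ == "__main__":
    print("field-based request, dropped:", dropped_fields(SUBMITTED_FIELDS, PERSISTED_FIELDS))
    print("annotation request, persisted fields:", requested_apparmor(PERSISTED_ANNOTATION))
```

To use it against a live cluster, load the submitted manifest and the object from `kubectl get pod <name> -o json` with the standard `json` module and pass both dicts to `dropped_fields`.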